HIPAA Compliance in 2015, Part I: Why Does My Organization Need to Become HIPAA-Compliant?

This is part one of a four-part series on HIPAA compliance. The series’ purpose is to provide a practical overview of HIPAA compliance that can be used to guide your organization’s regulatory compliance programs. HIPAA’s requirements have changed a lot over the past few years, producing legal and best-practice complexities that have quickly rendered existing HIPAA compliance programs obsolete.

It’s the start of a new year and time to re-focus on what will promote your organization’s continued growth, and even more importantly, identify the areas of vulnerability that could be fatal to success.

For those companies subject to HIPAA, this means creating a HIPAA compliance program that effectively implements current HIPAA rules to protect against data breaches and data loss. In other words, if you want to avoid substantial government fines for HIPAA noncompliance (and the bad publicity that follows), read on.

HIPAA Breach Statistics: HIPAA Fines and Penalties

In years past, companies chose to forgo the expense of time and resources necessary to become HIPAA-compliant. This was a business decision supported by the belief that HIPAA fines and penalties were essentially toothless. And up until about 2009, these companies were right – HIPAA enforcement was not a government priority, and the relatively lax requirements didn’t strike fear into the nation’s HIPAA Compliance Officers.

Things have changed drastically.

HIPAA fines are levied by the Department of Health and Human Services (HHS), Office for Civil Rights (OCR). From 2009 to 2013 (data for 2014 is still being compiled), there were 49,375 complaints lodged with OCR regarding HIPAA violations. Of those complaints, roughly 30% led to fines. These fines amounted to $25,980,500.

The government has collected millions of dollars from non-compliant healthcare organizations. The financial hit to these companies was severe, but not as harmful to their business as the loss of reputation and good will: money can be earned again, but in many cases, customer trust cannot.

Experts agree that the future will be rife with HIPAA fines and penalties as OCR continues to strengthen and develop its auditing programs. In fact, the initial OCR audit program, which began in 2011, showed a disproportionate uptick in fines. It’s apparent that increased government awareness has resulted in higher and more frequent fines. This trend will continue to mature in years to come, making HIPAA compliance even more important to the longevity of your business.

OCR Pilot Program

In 2011, OCR commenced its Pilot Audit Program. This program assessed 115 covered entities to determine the extent of their HIPAA compliance, and effectively marked the government’s revitalization of HIPAA compliance enforcement. Almost 90% of the organizations audited had instances of non-compliance. During these audits, and upon their completion in 2012, it became clear to the health care industry that adherence to HIPAA requirements was a business necessity.

While OCR’s pilot program is finished, it added a bite to HIPAA’s bark, and let organizations know that the government is cracking down on HIPAA compliance. The close of the pilot program doesn’t mean that OCR has lost interest in enforcing HIPAA standards. In fact, just the opposite is true.

Audit Program Phase 2

Phase 2 of the audit program will target business associates as well as covered entities. (“Business associates” are those companies that handle protected health information on behalf of a covered entity.) It was set to begin in fall 2014, but the start date was pushed back to an unspecified time in 2015. The Phase 2 audits will concentrate on the areas that the Pilot Program identified as being high risk, such as risk assessments, privacy practice notices, breach notification, and access controls. So, in many ways, Phase 2 is a true continuation of the pilot program, and will seek to ensure that health care organizations are addressing the more common areas of HIPAA non-compliance.

Unlike the pilot program, in which OCR contracted with a vendor (KPMG) to do the assessments, Phase 2 will be conducted by OCR staff. OCR plans to conduct “desk audits,” meaning it will review documentation provided by the audited organization instead of performing site visits. This means that the audited organizations will not have an opportunity to discuss compliance issues with the government, ask questions or provide clarification. Basically, what is submitted will represent the absolute entirety of what OCR will review. This method requires that the policies and procedures submitted be exceptionally comprehensive and clear.

The delay in Phase 2’s implementation is a good thing because it gives your organization more time to prepare for a potential audit. Take advantage of that time: even if your company already has a robust HIPAA compliance program in place, the manner in which OCR wants your policies and procedures presented may require significant editing and revision.

Current HIPAA Enforcement: Key Takeaways

The government is taking HIPAA compliance very seriously, and it will continue to levy steep fines on non-compliant organizations. To be frank, the time to become HIPAA compliant has passed. If your organization hasn’t assessed its HIPAA compliance recently, or at all, every indicator points to a government penalty in your future. And don’t forget about your clients and customers – the individuals whose data your organization maintains. Data breaches are astoundingly commonplace these days. Losing your clients’ health and other sensitive information will quickly lead to lost revenue, reputational damage and even class-action and other litigation.

The government and the public at large expect organizations to comply with HIPAA’s security and privacy rules. In today’s regulatory environment, the organizations that regard HIPAA as an afterthought will find themselves out of business.